If you’ve not heard of it, Cyber Essentials is a government-backed cyber security certification scheme.
The aim of the certification is to set out a good baseline of cyber security for all organisations across all sectors and provide a manageable, cost-effective framework which demonstrates the presence of essential controls and can be assessed relatively quickly.
The scheme addresses five key controls and claims that when these controls are implemented correctly, they can prevent around 80% of cyber-attacks. Certification is available at two levels; Cyber Essentials and Cyber Essentials Plus and the scheme was launched in June 2014.
Cyber Essentials is the basic level and is based on self-certification that is independently verified by a certified company on an annual basis. Depending on the complexity of the company and systems around £300 covers self-certification however many opt to have a full audit and support package and this can cost up to £1500. In order to achieve Cyber Essentials Plus you’ll need to first achieve Cyber Essentials and then budget at least £1,500 and probably a lot more dependent on the level of consultancy and systems tests required.
Cyber Essentials is a good, low cost, basic cyber security framework that small businesses should certainly consider. There are lots of advantages and any exercise in reviewing the cyber risk your organisation could face is very much worthwhile. If you’re a business owner who really doesn’t know where to start a framework like Cyber Essentials is particularly useful.
Potentially there are commercial benefits, it is now a mandatory requirement for anyone in the supply chain of central government contracts that involve personal information or certain IT or communications products and services. Having a recognised ‘Mark’ for cyber security might also provide a USP and give a small business competitive advantage – particularly with cyber-attacks such big news at the moment.
The new General Data Protection Regulations kick in from May next year and whilst Cyber Essentials is certainly no magic bullet GDPR is about risk assessment and mitigation – Cyber Essentials, done properly, is certainly going to assist with both of these areas.
And we think that’s the key right there. DONE PROPERLY.
Google “Cyber Essentials Certification” and there already appears to be a price war breaking out with organisations appearing to offer ‘guaranteed’ certification for a fixed price. This is concerning, the main benefit should be in the PROCESS of achieving accreditation NOT in the accreditation itself.
If certification becomes a tick box exercise then it is a major opportunity lost and of little benefit to the organisation.
It is unlikely that most SME’s, and we are aware that is a generalisation, would be in a position to carry out the thorough audit that’s really needed to answer the self-assessment questionnaire.
If your business has an IT Support Company or Managed Service Provider (MSP) then they may well be taking care of some of the elements that are required for the certification, however this is still going to require some in-house input. Take the issue of user accounts. The sample questionnaire for Cyber Essentials asks in several places if accounts that are no longer in use are removed or disabled, this is something your provider would probably do but you have to inform them when people leave. There is a similar issue with access to files, the technical aspect will be carried out by your MSP, but deciding who needs access to what is a company decision.
What we’re trying to get across here, and we may have gone off on a slight tangent, is that a business cannot expect Cyber Essentials, nor indeed any element of Cyber Security, to be done ‘for’ or ‘to’ them. Responsibility starts and ends with the business itself, and GDPR (there’s that lovely acronym again!) means that this is something every business should be looking at.
Going back to the initial question then Cyber Essentials is not ‘essential’ unless you’re wanting to bid for certain government contracts or private sector tenders but if you’ve no other framework and are unsure as to how to embed cyber security into your business then, done properly and in partnership with experts, this certification is a good starting point for any organisation.
When it comes to the other elements of cyber security including things such as audits, policies and procedures, certification, penetration testing, cyber forensics etc. we work with specially selected partners. People who, like us, specialise.
If you are interested in any element of cyber security please call us today or email firstname.lastname@example.org we’ll be happy to talk, offer a free review of your current arrangements and suggest improvements which can fit any budget.
For a FREE initial consultation please call us on 0115 822 0200.
To see an example of the Cyber Essentials Questionnaire visit the National Cyber Security Centre site.